From 535276089ff8aeee33a9cefc885736a2d68f8535 Mon Sep 17 00:00:00 2001 From: Tastatur Date: Wed, 27 Dec 2023 15:07:54 +0100 Subject: [PATCH] Added automatic decryption page --- .../post-install/automatic-decryption.md | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/docs/alpine-desktop-setup/post-install/automatic-decryption.md b/docs/alpine-desktop-setup/post-install/automatic-decryption.md index e69de29..9d6cd38 100644 --- a/docs/alpine-desktop-setup/post-install/automatic-decryption.md +++ b/docs/alpine-desktop-setup/post-install/automatic-decryption.md @@ -0,0 +1,31 @@ +# Automatic decryption + +Our system can utilize it's TPM2 to automatically decrypt. This can be done because the bootchain is secure and it's a bit tedious to enter an encryption password everytime the system boots up. + +First off the packages `clevis` and `tpm2-tools` have to be installed: + +``` +$ +# +``` + +> Not yet doable (but will be don't worry ;) ) + +Now bind our LUKS volume to TPM with clevis: + +``` +# clevis luks bind -d /dev/ tpm2 '{"pcr_bank":"sha256","pcr_ids":"1,7"}' +``` + +After rebooting it should automatically decrypt your disk. + +Clevis can be envoked again if you have made any changes to secureboot or system and it doesn't automatically decrypt the disk. + +First find the keyslot clevis is using and then "regen" the key: + +``` +# cryptsetup luksDump /dev/ +# clevis luks regen -d /dev/ -s +``` + +It should now work again.
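Review bot: the `clevis luks bind -d /dev/ tpm2 '{"pcr_bank":"sha256","pcr_ids":"1,7"}'` line pins the TPM2 unseal policy to PCRs 1 and 7 only, but the page never states what those measurements cover or that the original LUKS passphrase keyslot stays in place as the recovery path; since the same page later depends on that passphrase for `clevis luks regen`, add a sentence saying the passphrase slot is kept and that PCR 7 (Secure Boot state) and PCR 1 (firmware configuration) are what the automatic unlock is tied to, so the reader knows which changes will stop it and why a fallback is required. Two further gaps: the install block contains only `$` and `#` with no command, explained only by the quoted "Not yet doable", so either fill in the install commands or mark the section as a TODO; and the regen line ends in `-s` with no keyslot number while the sentence before it says to read the slot from `cryptsetup luksDump`, so write the placeholder explicitly (for example `-s <slot>`) and say that `/dev/` is to be replaced with the LUKS device. The page also claims the disk unlocks after reboot without covering the initramfs side; if the boot image must contain clevis support (Alpine builds it with mkinitfs), that step belongs here. Minor: "it's" should be "its" (twice), "everytime" should be "every time", "envoked" should be "invoked", and "secureboot" should be "Secure Boot".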